Cisco stuff on need to know bases

Password reset and configuration reset

  1. Press Break on the terminal keyboard within 60 seconds of the power-up to put the router into ROMMON.
  2. If the break sequence does not work, see Standard Break Key Sequence Combinations During Password Recovery for other key combinations.
  3. Type confreg 0x2142 at the rommon 1> prompt to boot from Flash without loading the configuration.
  4. Type reset at the rommon 2> prompt.
  5. The router reboots but ignores its saved configuration.
  6. Type no after each setup question or press Ctrl-C to skip the initial setup procedure.
  7. Type enable at the Router> prompt.You are taken to the enable mode, and the Router# prompt appears.
  8. Important: Type configure memory or copy startup-config running-config to copy the nonvolatile RAM (NVRAM) into memory.

Do not type configure terminal .

  1. Type write terminal or show running-config .

The show running-config and write terminal commands show the configuration of the router. In this configuration you see under all the interfaces the shutdown command, which means all interfaces are currently shutdown. Also, you can see the passwords (enable password, enable secret, vty, console passwords, and so on) either in encrypted or unencrypted format. The unencrypted passwords can be re-used, the encrypted ones will have to be changed with a new one. #

  1. Type configure terminal and make the changes.
  2. The prompt is now hostname(config)#.
  3. Type enable secret <password> to change the enable secret password, for example.
  4. Issue the no shutdown command on every interface that is used.
  5. If you issue a show ip interface brief command, every interface that you want to use should be “up up”.
  6. Type config-register 0x2102, or the value you recorded in step 2.
  7. Press Ctrl-Z or end to leave the configuration mode.
  8. The prompt is now changed to hostname#.
  9. Type write memory or copy running-config startup-config to commit the changes.
line console/vty x y
exec timeout 0 0
logging synchronous

kako postavis geslo za XY vmesnik:

line console/vty/... 
password xxx

Corrupt/missing IOS image

  • set BAUD 115200
  • upload vix Xmodem

Cisco security tips


  • BOOTP server
  • Cisco Discovery Protocol (CDP)
  • HTTP Configuration and Monitoring
  • Domain Name System (DNS)
  • Packet Assembler / Disassembler (PAD)
  • Internet Control Message Protocol (ICMP) Redirects
  • IP Source Routing
  • Finger Service
  • Proxy ARP
  • IP Directed Broadcast

Cisco config tips

Cisco PIX *

no fixup protocol smtp 25

General security template:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no service config
no service dhcp
no service compress-config  
no ip  http server
no ip bootp server
no ip finger
no ip identd
no ip source-route  
service nagle
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec

ip spd enable
no cdp run
logging buffered 16384
logging trap debugging
logging console warnings
ip subnet-zero
ip classless
! Deal with dead connections gracefully
service tcp-keepalives-in
service tcp-keepalives-out
! Do not allow packet to specify their own route
no ip source-route
! Enable Cisco Express Forwarding technology
ip cef

NTP (see also:

clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!ntp source Loopback0
!ntp master
ntp update-calendar
ntp server x.x.x.x
!ntp broadcast


snmp-server community NotTelling RO 1
snmp-server location Somewhere
snmp-server contact Network Operations Centre <noc@net.galaxy>
snmp-server enable traps snmp
snmp-server host SecretToo


no ip domain-lookup
ip domain-list
ip domain-list .
ip domain-name
ip name-server
ip name-server
line con 0
 exec-timeout 5 0
 password 7 <######>
 login authentication no_tacacs
 transport input none
line aux 0
 exec-timeout 5 0
 password 7 <#######>
 login authentication test
 modem InOut
 transport input all
 stopbits 1
 speed 19200
 flowcontrol hardware
line vty 0 4
 exec-timeout 5 0
 password 7 <########>
 login authentication test
 transport input telnet

General Interface Template:

no ip redirects
no ip direct broadcast
no ip proxy-arp
no ip unreachables
no ip mask-reply
no ip mroute-cache

General Security Template:

service password-encryption
enable secret <removed>
no enable password
! Limit the amount of ICMP traffic (DDOS protection)
rate-limit input access-group 110 2048000 8000 8000 conform-action transmit exceed-action drop
access-list 103 deny tcp any host established


Router 1:

interface ethernet 0/0
description Server LAN
ip address
standby 10 ip

Router 2:

interface ethernet 0/0
description Service LAN
ip address
standby 10 priority 150
standby 10 preempt
standby 10 ip

The preempt directive tells router1 and router2 that router2 should be used as default gateway whenever possible.
For example, if router2 were temporarily out of service, it would take over from router1 when it is returned to normal operation.


router bgp 200
neighbor remote-as 210
neighbor soft-reconfiguration in
neighbor x.x.x.x ebgp-multihop 255
no bgp dampening
“clear ip bgp neighbor soft”.
bgp dampening [[route-map map-name] | [half-life-time reuse-value suppress-value maximumsuppress-time]]
  • half-life-time – range is 1 – 45 minutes; current default is 15 minutes.
  • reuse-value – range is 1 – 20000; default is 750.
  • suppress-value – range is 1 – 20000; default is 2000.
  • max-suppress-time – maximum duration a route can be suppressed. Range is 1 – 255; default is four times half-life time (60 minutes).
  • show ip bgp dampened-routes – Display all the damped routes with the time remaining to unsuppress. Very useful for find out which sites are having instability problems.
clear ip bgp dampening [<address> <mask>] 

Clear the damping related information. This will also unsuppress the suppressed routes.
Very useful when one of your customers call you about a “unreachable” network that has been suppressed.

Some ISPs use private ASes within their network (typically but not exclusively for customers who multihome onto their backbone). There is a BGP option (CSCdi64489) which prevents any private ASes from being leaked to the Internet:

router bgp 109
neighbor remove-private-AS

ip dhcp excluded-address

ip dhcp pool my.lan
   dns-server 212.18.X.X
   lease 14 0


router ospf 100
 network area 0
 network area 0
 network area 0
 network 220.144 159.192 area 0
 passive-interface Serial1/0
 passive-interface Serial1/1
 passive-interface Loopback0
ACL renumbering

Router(config)#ip access-list resequence MyACL 10 10

vlan up/interface down

no autostate no keepalive

dot11 ssid TEST1
mbssid guest-mode
dot11 ssid TEST2
mbssid guest-mode

Then you have to enable mbssid globally on your radio-interface:

interface Dot11Radio0
ssid TEST1
ssid TEST2 

interface Dot11Radio1
ssid TEST1
ssid TEST2 

Cisco bash policer script

echo "policy-map $1M"
echo "class class-default"
echo "police cir $cir bc $nburst be $eburst conform-action set-dscp-transmit default exceed-action drop  violate-action drop"

cisco.txt · Last modified: 2015/05/21 15:01 by zagi
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready